I see it’s a long story, but still relevant.
Most Java apps cannot handle SNI, although it has been a standard for more than a decade.
When the webserver serves more than one HTTPS site, there’s always a default. Java as an HTTPS client always checks the URL hostname against the default site’s certificate, which is nonsense.
Any browser can ask for the certificate of the requested site instead of the default site, but not the Java HTTPS client.
My problem is that all the certs are installed on the nginx reverse proxy, which does the HTTPS offloading and communicates with the backends over HTTP.
Its default site is “https://sonar”, because Gradle is a dummy like above too, so otherwise it won’t work.
Now the problem is the same, but with sonar as a client, and gitlab as the hostname of the server…
I cannot understand how it is possible that Java cannot use a standard this old.
I really don’t want to change the way we handle certificates!!!
Please tell me there’s a way to make Java smart enough to match the 2006 Internet Explorer!
The host certificates on the server are all signed by the corporate certificate, which is installed in the container running sonarqube-developer 9.2.1.
The error message is:
...
sonarqube_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
sonarqube_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
sonarqube_1 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
sonarqube_1 | at java.base/java.lang.Thread.run(Thread.java:829)
sonarqube_1 | 2021.12.09 15:02:55 INFO web[AX2ft4eACPyVT8dIAAAk][o.s.a.c.g.GitlabHttpClient] Gitlab API call to [https://gitlab/api/v4/projects] failed with error message : [Hostname gitlab not verified:\n certificate: sha256/oDMTiKg5kh+myA0Af85FALWobY6PTCPYr5cryNNDlbc=\n DN: CN=sonar\n subjectAltNames: [sonar]]
sonarqube_1 | javax.net.ssl.SSLPeerUnverifiedException: Hostname gitlab not verified:
sonarqube_1 | certificate: sha256/oDMTiKg5kh+myA0Af85FALWobY6PTCPYr5cryNNDlbc=
sonarqube_1 | DN: CN=sonar
sonarqube_1 | subjectAltNames: [sonar]
sonarqube_1 | at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:389)
sonarqube_1 | at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
sonarqube_1 | at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
...
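A triage sketch for the trace above, added here as an example and not part of the original post or of SonarQube: it parses both shapes of the okhttp `Hostname ... not verified` message and reports which name was requested and which names the proxy's certificate carried. The function names and the sample log (with a placeholder pin) are constructed; the `single_label` flag rests on the assumption that JSSE omits the SNI extension for hostnames without a dot.

```python
import re

# Constructed sample in the two shapes shown in the trace: a one-line INFO entry
# with literal "\n" and the multi-line exception. The pin value is a placeholder.
SAMPLE_LOG = r"""
sonarqube_1 | 2021.12.09 15:02:55 INFO web[constructed][o.s.a.c.g.GitlabHttpClient] Gitlab API call to [https://gitlab/api/v4/projects] failed with error message : [Hostname gitlab not verified:\n certificate: sha256/PLACEHOLDER=\n DN: CN=sonar\n subjectAltNames: [sonar]]
sonarqube_1 | javax.net.ssl.SSLPeerUnverifiedException: Hostname gitlab not verified:
sonarqube_1 | certificate: sha256/PLACEHOLDER=
sonarqube_1 | DN: CN=sonar
sonarqube_1 | subjectAltNames: [sonar]
sonarqube_1 | at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:389)
"""

# Requested hostname, then the first subjectAltNames list that follows it.
FAILURE = re.compile(r"Hostname (\S+) not verified:.*?subjectAltNames: \[([^\]]*)\]", re.S)


def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def triage(log_text):
    """Group hostname-verification failures by (requested host, presented names)."""
    grouped = {}
    for m in FAILURE.finditer(log_text):
        sans = tuple(s.strip() for s in m.group(2).split(",") if s.strip())
        key = (m.group(1), sans)
        grouped[key] = grouped.get(key, 0) + 1
    return [
        {
            "requested": host,
            "presented": list(sans),
            "count": count,
            # False means the proxy answered with a certificate for another name.
            "covered": any(name_matches(host, s) for s in sans),
            # Flags names without a dot (assumption: JSSE sends no SNI for these).
            "single_label": "." not in host,
        }
        for (host, sans), count in grouped.items()
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `covered` false and `presented` equal to the proxy's default site means the proxy fell back to its default certificate for that request.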